Information Technology Risk Management Guideline
Appendix D - Risk Assessment Instructions

Virginia Information Technologies Agency (VITA)
ITRM Guideline SEC506-01, Appendix D - Risk Management Guideline Assessment Instructions
Effective Date: 12/11/2006

TABLE OF CONTENTS

PURPOSE, CAUTIONS & FORMAT
EXAMPLE RISK ASSESSMENT
RISK ASSESSMENT REPORT TEMPLATE

Appendix D, page i

PURPOSE, CAUTIONS & FORMAT

PURPOSE

This document contains instructions to implement the methodology described in Section 6 (Risk Assessment) of the Information Technology (IT) Risk Management Guideline, ITRM Guideline SEC506-01. This document is Appendix D of that Guideline, and is published under separate cover because of its size. This template does not stand alone and should be read only in conjunction with the Guideline.

The purpose of this document is to assist each Commonwealth of Virginia (COV) Agency in assessing the risks to its sensitive IT systems and data, and protecting the resources that support the Agency's mission. These instructions are based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, "Risk Management Guide for Information Technology Systems", and contain a recommended format for COV risk assessments.

CAUTIONS REGARDING USE OF THIS DOCUMENT

The example risk assessment in this document:

1. Does not document compliance with all requirements of the COV ITRM IT Security Policy, IT Security Standard and IT Security Audit Standard. These omissions are designed to illustrate control weaknesses, and must not be construed to relieve any COV Agency of its responsibility to comply with all applicable requirements of the IT Security Policy, IT Security Standard and IT Security Audit Standard.

2. Contains the names of fictional individuals, corporations, and products. No similarity to any actual persons, living or dead, nor to any actual corporation or product, past, present, or future, is intended. In addition, no such similarity to any actual corporation or product, past, present, or future, may be construed to represent an endorsement of any such corporation or product.

FORMAT

This document uses different fonts for instructions and examples, as follows:

Times New Roman text, including all of the text in this section, is provided as instructions for completing a risk assessment.

Arial Bold text inside a shaded text border is example text. In the examples, the template uses a fictional system called the Budget Formulation System (BFS), owned and operated by the Financial Operations Division (FOD) of a fictional agency called the Budget Formulation Agency (BFA).

Times New Roman italic text is provided as background information. It is provided for better understanding of how to complete each section of the Risk Assessment Report, or so that the author knows to extend or replicate a section, such as by adding Agency-specific threats or vulnerabilities to the risk matrix.

(Font distinctions are not preserved in this text version. Instruction headings appear in capitals, e.g. "2 IT SYSTEM CHARACTERIZATION", and the corresponding sections of the example report appear in title case, e.g. "2 BFS Identification".)

This document consists of two primary sections:

o An example risk assessment, with instructions and explanatory material for BFS. This section is intended to provide guidance to COV agencies on how to complete risk assessments of their sensitive IT systems.

o A blank Risk Assessment Report containing the section headings and tables from the recommended format Risk Assessment Report, but no content. This section is intended for use by COV agencies in completing Risk Assessment Reports for their sensitive systems.

EXAMPLE RISK ASSESSMENT

The example Risk Assessment begins with the cover sheet on the following page.
Example Risk Assessment Report

Information Technology Risk Assessment
For
Budget Formulation Agency
Budget Formulation System
Version 1.0
July 2007

Prepared For:
Budget Formulation Agency
Financial Operations Division
123 E. Elm Street
Richmond, VA 23299

Prepared By:
Budget Formulation Agency
Financial Operations Division
123 E. Elm Street
Richmond, VA 23299

Risk Assessment Annual Document Review History

Review Date | Reviewer
July, 2005 | Jane Jones
July, 2006 | Jane Jones

The conditions of the risk assessment change as the agency's business environment changes. Review the risk assessment annually (or more frequently) to reflect those changes and improve the validity of the assessment.

TABLE OF CONTENTS

1 INTRODUCTION
2 IT SYSTEM CHARACTERIZATION
3 RISK IDENTIFICATION
4 CONTROL ANALYSIS
5 RISK LIKELIHOOD DETERMINATION
6 RISK IMPACT ANALYSIS
7 OVERALL RISK DETERMINATION
8 RECOMMENDATIONS
9 RESULTS DOCUMENTATION

LIST OF EXHIBITS

LIST OF FIGURES
FIGURE 1: IT SYSTEM BOUNDARY DIAGRAM
FIGURE 2: INFORMATION FLOW DIAGRAM

LIST OF TABLES
TABLE A: RISK CLASSIFICATIONS
TABLE B: IT SYSTEM INVENTORY AND DEFINITION
TABLE C: THREATS IDENTIFIED
TABLE D: THREATS, VULNERABILITIES, AND RISKS
TABLE E: SECURITY CONTROLS
TABLE F: RISKS/CONTROLS/FACTORS CORRELATION
TABLE G: RISK LIKELIHOOD DEFINITIONS
TABLE H: RISK LIKELIHOOD RATINGS
TABLE I: RISK IMPACT RATING DEFINITIONS
TABLE J: RISK IMPACT ANALYSIS
TABLE K: OVERALL RISK RATING MATRIX

1 INTRODUCTION

The introduction should briefly describe the purpose of this risk assessment and include a brief description of the approach used to conduct the risk assessment. The description of the approach should include:

The participants and their roles in the risk assessment in relation to their assigned responsibilities at the agency;

The techniques used to gather the necessary information (e.g., the use of tools, questionnaires); and

The risk classifications used. Agencies are encouraged to classify risks as High, Moderate or Low in accordance with the definitions in the Standard [1]. The definitions of risk classifications should be included in Table A of the Risk Assessment Report.

[1] These definitions are based on the definitions in Federal Information Processing Standards Publication 199 (FIPS 199).

1 Introduction

Staff of the Commonwealth of Virginia (COV) Budget Formulation Agency (BFA) performed this risk assessment for the Budget Formulation System (BFS) to satisfy the requirement of ITRM Standard SEC501-01 to perform an assessment at least every 3 years or whenever a major change is made to a sensitive system. The last risk assessment for this system was completed on July 10, 2004. This risk assessment builds upon earlier risk assessments performed by the Budget Formulation Agency staff. In addition, an IT Security Audit, conducted by BFA Internal Audit Services staff on June 24, 2007, was utilized.

This risk assessment was performed in accordance with the methodology described in ITRM Guideline SEC506-01, and utilized interviews and questionnaires developed by BFA staff to identify BFS Vulnerabilities; Threats; Risks; Risk Likelihoods; and Risk Impacts. In addition, the risk assessment utilized ITRSK, an automated risk assessment tool.

Participants and their roles in this risk assessment included the following:

Jane Jones, BFA Information Security Officer, reviewed the Risk Assessment report prior to completion;

John James, BFS System Owner, managed the risk assessment process, using BFA Information Risk Management staff to conduct the risk assessment, as well as providing information through interviews and completing questionnaires;

Mike Williams, BFS Data Owner, provided information through interviews and through completing questionnaires;

Bill Michaels, BFS Data Owner, provided information through interviews and through completing questionnaires;

Bea Roberts, of Partner Systems, Inc. (PSI), BFS Data Custodian, operational and technical support staff, and BFS System Administrators provided required technical information regarding BFS, and provided information through interviews and questionnaires.

Table A defines the risk levels (high, moderate, low) adopted to classify risks to the Agency, in the context of confidentiality, integrity and availability (CIA).

Table A: Risk Classifications

Risk Level | Risk Description
High | The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Moderate | The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
Low | The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

2 IT SYSTEM CHARACTERIZATION

IT system characterization defines the scope of the risk assessment effort. Use the previously developed IT System Inventory and Definition Document (Appendix B of the Guideline) as input for this step; some additional information is required. The purpose of this step is to identify the IT system, to define the risk assessment boundary and components, and to identify the IT system and data sensitivity.

2.1 IT System Identification

Include in the Risk Assessment Report the previously developed IT System Inventory and Definition Document.

2 BFS Identification

Table B: IT System Inventory and Definition

IT System Inventory and Definition Document

I. IT System Identification and Ownership

IT System ID: BFA-001
IT System Common Name: Budget Formulation System (BFS)
Owned By: Budget Formulation Agency (BFA), Financial Operations Division (FOD)
Physical Location: BFA Data Center, 123 E. Elm Street, Richmond, VA 23299
Major Business Function: Enable processing of current-year budget details and future-year budget plans
System Owner / Phone Number: John James, (804) 979-3755
System Administrator(s) / Phone Number: Partner Systems, Inc., (888) 989-8989
Data Owner(s) / Phone Number(s): Mike Williams, (804) 979-3452; Bill Michaels, (804) 979-3455
Data Custodian(s) / Phone Number(s): Bea Roberts, Partner Systems, Inc., (888) 989-8989
Other Relevant Information: BFS has been in production since December 1996

Table B: System Inventory and Definition (continued)

II. IT System Boundary and Components

IT System Description and Components

BFS is a distributed client-server application transported by a network provided by PSI, a third party. The major components of the BFS include:

• A Sparc SUNW Ultra Enterprise 3500 server running SunOS 5.7 (Solaris 7). The server has four (4) processors running at 248 MHz, 2048 MB of memory, 4 SBus cards, 4 PCI cards, and total disk storage capacity of 368.6 GB (36 drives x 10 GB). This system is provided to BFA under contract by PSI, and this Risk Assessment relies on information regarding system hardware and Operating System software provided to BFA by PSI.

• One (1) network interface that is connected to BFA's data center Cisco switch. This interface is assigned two unique IP addresses.

• An Oracle 9i data store with two (2) commercial off-the-shelf (COTS) application modules (ABC and XYZ) purchased from Oracle Corporation.

IT System Interfaces

• An interface between BFS and the Budget Consolidation System (BCS). This interface allows only the BCS to securely transmit data, using the Secure Copy Protocol (SCP) on port 22, into the BFS nightly by a cron job that refreshes tables in the BFS Oracle store with selected data from BCS tables.

• A modem for emergency dial-in support and diagnostics, secured via the use of a one-time password authentication mechanism.

• Client software located within the Agency's Windows 2003 Server Active Directory Domain to manage access to BFS. This software utilizes encrypted communications between the client and the server and connects to the server on port 1521. Only users with the appropriate rights within the BFA Domain can access the client software, although a separate client login and password is required to gain access to BFS data and functions. This access is based on Oracle roles and is granted by the BFS system administrators to users based on their job functions.

IT System Boundary

• The demarcation between the BFS and the Local Area Network (LAN) is the physical port on the Cisco switch that connects the BFS to the network. The switch and other network components are not considered to be part of the BFS.

• BFS support personnel provide the operation and maintenance of the application. The BFS personnel provide the operation and maintenance of the server and operating system. The BFS boundary is the following directories and their subdirectories: /var/opt/Oracle, /databases/Oracle, and /opt/odbc. Other directories are outside the BFS boundary.

• BFS is responsible for receiving data from the BCS. The BCS is a separate system and is outside the BFS boundary.

• Client access to the BFS server is controlled by BFA's Windows 2003 Server Active Directory domain. This access is included within the BFS system boundary. The overall BFA Windows 2003 Server Active Directory domain, however, is not considered to be part of the BFS, and is outside the BFS boundary.

Table B: System Inventory and Definition (continued)

III. IT System Interconnections

Agency or Organization | IT System Name | IT System ID | IT System Owner | Interconnection Security Agreement Summary
BFA | Budget Consolidation System | BCS | John James | No formal agreement required, as systems have common owner
Partner Systems, Inc. (PSI) | Enterprise Data Network | EDN | Bea Roberts | Agreement is in place; expires 12/31/2007; under renegotiation

IV. IT System and Data Sensitivity

Sensitivity ratings (include rationale for each rating):

Type of Data | Confidentiality | Integrity | Availability
Current Year Budget Details | Low: data is public information | High: BFS is system of record for fiscal year budget data for all COV Agencies | Moderate: data is used less than daily by all COV Agencies to allocate resources
Future Year Budget Plans | High: release of the data before it is final could be damaging to COV and its Agencies | Moderate: BFS is system of record for future year budget plans for all COV Agencies | Low/High: low during most of year; high during budget preparation

Overall IT System Sensitivity Rating and Classification

Overall IT System Sensitivity Rating (must be High if the sensitivity of any data type is rated High on any criterion; choices are HIGH / MODERATE / LOW): HIGH

IT System Classification (must be Sensitive if overall sensitivity is High; consider as Sensitive if overall sensitivity is Moderate; choices are SENSITIVE / NON-SENSITIVE): SENSITIVE

2.2 IT System Boundary & Components included in the Risk Assessment

Using the system boundary information already documented in Table B (see Section 3.2.3 of the Guideline), verify that the components that are included in this risk assessment are defined, and that components not included are defined as appropriate. If the IT System under assessment connects or shares data with other IT Systems, risks associated with these other IT Systems should be considered in the risk assessment, even though the other IT Systems themselves will not be reassessed.

In most cases, the components included in the risk assessment will be the same as those within the system boundary (see section 3.2.3 of the Risk Management Guideline). Agencies, however, must make an affirmative decision regarding the components included in the risk assessment, including major components that could create risk for the IT system.
For example, an IT system (System A) may make use of a third-party network infrastructure, but since the third-party network is subject to a separate risk assessment, it should not be assessed again. However, the System A risk assessment should reference the network risk assessment, and highlight any pertinent network risks. Establishing the parameters in which the system operates guarantees consideration of all relevant threats, vulnerabilities and risks, and an explicit decision as to the scope of the assessment.

The key part of defining the components included in the risk assessment is to look at where IT systems meet and to define where the dividing line is located. This applies not only to physical connections, but also to logical connections where data is exchanged. The owner(s) of this system and the owner(s) of the interconnected systems must agree on the components included in the risk assessment of each system, so that all components are the responsibility of someone, and no components are covered more than once. In the event that the IT system serves more than one Agency, the details of this use should be clearly defined in a written agreement. The agreement between system owners should be based on non-arbitrary characteristics, such as funding boundaries, functional boundaries, physical gaps, contractual boundaries, operational boundaries and transfer of information custody.

2.3 Additional IT System Documentation

In addition to the System Inventory and Definition document, include in this section of the Risk Assessment Report:

A description or diagram of the system and network architecture, including all components of the system and the communications links connecting the components of the system, associated data communications and networks.

A description or a diagram depicting the flow of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system.

Figure 1: IT System Boundary Diagram (diagram not reproduced in this text version)

A high-level diagram depicting the BFS information flow is provided in Figure 2.

Figure 2: Information Flow Diagram (diagram not reproduced in this text version; its elements are BFS, BCS and Client, with the following annotations)

• Output is stored in electronic format and is printed for archival purposes and includes: Current Year Budget Details; Future Year Budget Plans.
• The BFS listener listens for client connections on TCP port 1521 and for SCP connections on port 22.
• Budget data generated by BCS is pushed to BFS nightly using a cron job. The Secure Copy Protocol (SCP) is used to securely perform this operation.
• Users manually enter weekly and monthly budget figures.
• Communication to/from BFS utilizes a proprietary protocol that encrypts all data at the packet level.

3 RISK IDENTIFICATION

The purpose of this step is to identify the risks to the IT system. Risks occur in IT systems when vulnerabilities (i.e., flaws or weaknesses) in the IT system or its environment can be exploited by threats (i.e., natural, human, or environmental factors).

For example, Oracle 9i will stop responding when sent a counterfeit packet larger than 50,000 bytes. This flaw constitutes a vulnerability. A malicious user or computer criminal might exploit this vulnerability to stop an IT system from functioning. This possibility constitutes a threat. This vulnerability-threat pair combines to create a risk that an IT system could become unavailable.

The process of risk identification consists of three components:

1. Identification of vulnerabilities in the IT system and its environment;

2. Identification of credible threats that could affect the IT system; and

3. Pairing of vulnerabilities with credible threats to identify risks to which the IT system is exposed.

After the process of risk identification is complete, the likelihood and impact of risks will be considered.

3 Risk Identification

3.1 Identification of Vulnerabilities

The first component of risk identification is to identify vulnerabilities in the IT system and its environment. There are many methodologies or frameworks for determining IT system vulnerabilities. The methodology should be selected based on the phase of its life cycle the IT system is in. For an IT system:

In the Project Initiation Phase, the search for vulnerabilities should focus on the organization's IT security policies, planned procedures and IT system requirements definition, and the vendor's security product analyses (e.g., white papers).

In the Project Definition Phase, the identification of vulnerabilities should be expanded to include more specific information. Assess the effectiveness of the planned IT security features described in the security and system design documentation.

In the Implementation Phase, the identification of vulnerabilities should also include an analysis of the security features and the technical and procedural security controls used to protect the system. These evaluations include activities such as executing a security self-assessment, the effective application of automated vulnerability scanning/assessment tools and/or conducting a third-party penetration test. Often, a mixture of these and other methods is used to get a more comprehensive list of vulnerabilities.

Include in the Risk Assessment Report a description of how vulnerabilities were determined. If a Risk Assessment has been performed previously, it should contain a list of vulnerabilities that should be assessed to determine their continued validity. In addition, assess and document whether any new vulnerabilities exist.

3.1 Identification of Vulnerabilities

BFS is in the implementation phase of its life cycle.
Accordingly, identification of vulnerabilities for BFS included:

Interviews with the BFA System Owner, Data Owner, and BFA operational and technical support personnel;

Use of the automated ITRSK tool; and

Review of vulnerabilities identified in the previous BFA Risk Assessment.

Vulnerabilities that combine with credible threats (see Section 3.2) create a risk to the IT system that will be listed in step 3.3.

3.2 Identification of Credible Threats

The purpose of this component of risk identification is to identify the credible threats to the IT system and its environment. A threat is credible if it has the potential to exploit an identified vulnerability. Table C, at the end of this section, contains examples of threats. The threats listed in the table are provided only as an example and are specific to the example BFS system. Agencies are encouraged to consult other threat information sources, such as NIST SP 800-30. The goal is to identify all credible threats to the IT system, but not to create a universal list of general threats.

Include in the Risk Assessment Report a description of how threats were determined. If a Risk Assessment has been performed previously, it should contain a list of credible threats that must be assessed to determine their continued validity. In addition, assess and document whether any new threats exist. Include a brief description of how credible threats were determined and a list of the credible threats in the Risk Assessment Report.

3.2 Identification of Credible Threats

Credible threats to the Budget Formulation System were identified by:

Consulting the previous BFS Risk Assessment and analyzing how the BFS threat environment has changed in the past three years;

Interviewing the BFS System Owner, Data Owner, and System Administrators to gather information about system-specific threats to the BFS; and

Use of the automated ITRSK tool to identify threats to the BFS.
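For the Implementation Phase activities described in section 3.1 above (security self-assessment and automated checks), the following added example, which is not part of the Guideline or of the fictional BFS report, shows how two of the vulnerabilities the BFS assessment later records in Table D can be detected mechanically rather than only through interviews: credentials embedded in scripts and initialization files (risk 6) and "generic" database accounts such as test, share and guest (risk 8). The file contents, paths and account list are constructed for the example; the credential patterns and the list of generic account names are assumptions of the example, not Guideline requirements.

```python
"""Self-assessment checks for Table D risks 6 (embedded credentials) and 8 (generic accounts).
Constructed example; patterns and the generic-name list are assumptions, not Guideline text."""
import re

# One finding per offending line; the first pattern that matches wins.
_PATTERNS = (
    # Oracle connect string user/password@service, as used by sqlplus, tnsping, exp/imp ...
    ("connect string", re.compile(r"\b([A-Za-z_]\w*)/([^\s@/]+)@[\w.]+")),
    # exp/imp style parameter: userid=user/password
    ("userid parameter", re.compile(r"(?i)\buserid\s*=\s*([A-Za-z_]\w*)/(\S+)")),
    # Shell or .ini assignment whose name suggests a password: PASSWORD=..., ORA_PWD=...
    ("password assignment", re.compile(r"(?i)^\s*(?:export\s+)?([\w.]*(?:pass|pwd)[\w.]*)\s*=\s*(\S+)")),
)


def _redact(secret):
    """Keep the first character so a reviewer can match the finding, hide the rest."""
    return secret[0] + "*" * (len(secret) - 1) if secret else ""


def find_embedded_credentials(files):
    """files: mapping of path -> file text. Returns one finding dict per line holding a literal secret."""
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in _PATTERNS:
                m = pattern.search(line)
                if not m:
                    continue
                name, secret = m.group(1), m.group(2)
                # A value beginning with '$' is a variable or command substitution, not a literal secret.
                if not secret.startswith("$"):
                    findings.append({"path": path, "line": lineno, "kind": kind,
                                     "name": name, "secret": _redact(secret)})
                break
    return findings


# Account names treated as "generic" (shared identity, no accountable owner). Assumed list.
GENERIC_ACCOUNT_NAMES = frozenset({"TEST", "SHARE", "GUEST", "DEMO", "TEMP"})


def find_generic_accounts(accounts):
    """accounts: rows shaped like Oracle DBA_USERS (username, account_status).
    Locked generic accounts are reported too: they can be re-enabled and still lack an owner."""
    return [(a["username"].upper(), a["account_status"])
            for a in accounts if a["username"].upper() in GENERIC_ACCOUNT_NAMES]


# Constructed sample inputs; the paths echo the BFS boundary directories from Table B.
SAMPLE_FILES = {
    "/var/opt/Oracle/bin/nightly_refresh.sh": """#!/bin/sh
# Nightly refresh of BFS tables from the BCS extract
export ORACLE_SID=BFS
sqlplus bfs_batch/Winter07@BFS @/var/opt/Oracle/sql/refresh.sql
exp userid=system/manager file=/databases/Oracle/export/bfs.dmp
""",
    "/opt/odbc/odbc.ini": """[BFS]
Driver=/opt/odbc/lib/libora.so
ServerName=BFS
UserID=bfs_report
Password=Report2007
""",
    "/home/bfsadm/.profile": """PATH=$PATH:/var/opt/Oracle/bin
ORACLE_PASS=$(cat $HOME/.orapass)
sqlplus /nolog
""",
}

SAMPLE_ACCOUNTS = [
    {"username": "SYS", "account_status": "OPEN"},
    {"username": "SYSTEM", "account_status": "OPEN"},
    {"username": "TEST", "account_status": "OPEN"},
    {"username": "SHARE", "account_status": "OPEN"},
    {"username": "GUEST", "account_status": "LOCKED"},
    {"username": "BFS_BATCH", "account_status": "OPEN"},
]

if __name__ == "__main__":
    for f in find_embedded_credentials(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']} for '{f['name']}' (value {f['secret']})")
    for user, status in find_generic_accounts(SAMPLE_ACCOUNTS):
        print(f"generic account {user} ({status})")
```

The .profile in the sample produces no finding: the password is read from a protected file at run time rather than stored in the script, which is the usual remediation for risk 6. The scanner only proves presence, not absence; a clean run over the three boundary directories still needs to be paired with the interviews and tool output the report lists above.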
3.3 Identification of Risks

The final component of risk identification is to pair identified vulnerabilities with credible threats that could exploit them and expose the following to significant risk:

The IT system;

The data it handles; and

The organization.

In order to focus risk management efforts on those risks that are likely to materialize, it is important both to be comprehensive in developing the list of risks to the IT system and also to limit the list to pairs of actual vulnerabilities and credible threats. For example, as noted at the beginning of section 3, Oracle 9i will stop responding when sent a counterfeit packet larger than 50,000 bytes. This flaw constitutes a vulnerability. A malicious user or computer criminal might exploit this vulnerability to stop an IT system from functioning. This possibility constitutes a threat. This vulnerability-threat pair combines to create a risk that an IT system could become unavailable. If an IT system running Oracle 9i is not connected to a network, however, such as the certificate authority for a Public Key Infrastructure (PKI) system, then there is no credible threat, and so no vulnerability-threat pair to create a risk.

Table C: Credible Threats Identified for the BFS

Air Conditioning Failure
Aircraft Accident
Biological Contamination
Blackmail
Bomb Threats
Chemical Spills
Communication Failure
Computer Crime
Cyber-Terrorism
Earthquakes
Electromagnetic Interference
Fire (Major or Minor)
Flooding/Water Damage
Fraud/Embezzlement
Hardware Failure
Human Error
Loss of Key Personnel
Malicious Use
Nuclear Accidents
Pandemic
Power Loss
Sabotage
Terrorism
Tornados, Hurricanes, Blizzards
Unauthorized Access or Use
Vandalism and/or Rioting
Workplace Violence

Provide a brief description of how the risks were identified, and prepare a table of all risks specific to this IT system. In the table, each vulnerability should be paired with at least one appropriate threat, and a corresponding risk. The risks should be numbered and each risk should include a description of the results if the vulnerability were to be exploited by the threat. Enter the data into Exhibit 1 (this data entry can be done by means of cutting and pasting).

3.3 Identification of Risks

Risks were identified for the BFS by matching identified vulnerabilities with credible threats that might exploit them. This pairing of vulnerabilities with credible threats is documented in Table D. All identified risks have been included.

Table D, below, documents example vulnerabilities, threats and risks for the BFS. The list in Table D is an example and pertains only to the fictional BFS.

Table D: Vulnerabilities, Threats, and Risks

Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary
1 | Wet-pipe sprinkler system in BFS Data Center. | Fire | Availability of BFS and data. | Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
2 | BFS user identifiers (IDs) no longer required are not removed from BFS in a timely manner. | Unauthorized Use | Confidentiality & integrity of BFS data. | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
3 | BFS access privileges are granted on an ad-hoc basis rather than using predefined roles. | Unauthorized Access | Confidentiality & integrity of BFS data. | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
4 | Bogus TCP packets (> 50000 bytes) directed at port 1521 will cause BFS to stop responding. | Malicious Use; Computer Crime | Availability of BFS and data. | Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
5 | New patches to correct flaws in application security design have not been applied. | Malicious Use; Computer Crime | Confidentiality & integrity of BFS data. | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data.
6 | User names & passwords are in scripts & initialization files. | Malicious Use; Computer Crime | Confidentiality & integrity of BFS data. | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
7 | Passwords are not set to expire; regular password changes are not enforced. | Malicious Use; Computer Crime | Confidentiality & integrity of BFS data. | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
8 | "Generic" accounts found in the database (e.g., test, share, guest). | Malicious Use; Computer Crime | Confidentiality & integrity of BFS data. | Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
9 | Remote OS authentication is enabled but not used. | Malicious Use; Computer Crime | Confidentiality & integrity of BFS data. | Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
10 | Login encryption setting is not properly configured. | Malicious Use; Computer Crime | Confidentiality & integrity of BFS data. | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
11 | Sensitive BFS data is stored on USB drives. | Malicious Use; Computer Crime | Confidentiality of BFS data. | Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
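The pairing rule of section 3.3 (a risk exists only where an actual vulnerability meets a threat that can credibly exploit it, so the unnetworked PKI certificate authority yields no risk) is mechanical enough to write down. The following added example, not part of the Guideline or the BFS report, builds Table D-style rows from a vulnerability list and a threat list in the general case: a vulnerability is tagged with the avenue an exploit needs (physical access, network reachability, a usable credential), a threat is tagged with the avenues it can act on, and the system under assessment declares which avenues it actually exposes. Threats from Table C that cannot act on any listed vulnerability drop out, and several credible threats for one vulnerability share a row, as in Table D row 4. The avenue tags, and the reduced vulnerability and threat lists drawn from Tables C and D, are assumptions of the example.

```python
"""Risk identification as vulnerability/credible-threat pairing (Guideline section 3.3).
Added example; the 'exposure' tagging is an assumption, not part of the Guideline."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    description: str
    exposure: str        # avenue an exploit needs: "physical", "network", "credential", ...
    compromises: tuple   # properties put at risk: "Confidentiality", "Integrity", "Availability"
    consequence: str     # result if exploited (the Risk Summary column of Table D)


@dataclass(frozen=True)
class Threat:
    name: str
    acts_on: frozenset   # exposures this threat source is able to reach


def is_credible(threat, vuln, system_exposures):
    """A threat is credible for a vulnerability only if it can act on the avenue the
    vulnerability needs AND the system under assessment actually exposes that avenue."""
    return vuln.exposure in threat.acts_on and vuln.exposure in system_exposures


def identify_risks(vulns, threats, system_exposures):
    """Pair every vulnerability with its credible threats; one numbered risk row per
    vulnerability that has at least one. No credible threat means no risk row."""
    rows = []
    for vuln in vulns:
        credible = tuple(t.name for t in threats if is_credible(t, vuln, system_exposures))
        if not credible:
            continue  # e.g. a network-only vulnerability on an unnetworked system
        rows.append({
            "risk_no": len(rows) + 1,
            "vulnerability": vuln.description,
            "threats": credible,
            "compromise_of": " & ".join(vuln.compromises),
            "summary": vuln.consequence,
        })
    return rows


def format_table_d(rows):
    """Render rows in the pipe-delimited layout used for Table D above."""
    lines = ["Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary"]
    for r in rows:
        lines.append(f"{r['risk_no']} | {r['vulnerability']} | {'; '.join(r['threats'])} | "
                     f"{r['compromise_of']} | {r['summary']}")
    return "\n".join(lines)


# Constructed inputs modelled on Tables C and D (exposure tags are assumed for the example).
BFS_VULNERABILITIES = (
    Vulnerability("Wet-pipe sprinkler system in BFS Data Center", "physical", ("Availability",),
                  "Fire would activate sprinkler system causing water damage & compromising availability of BFS."),
    Vulnerability("Bogus TCP packets (> 50000 bytes) directed at port 1521 will cause BFS to stop responding",
                  "network", ("Availability",),
                  "Denial of service via large bogus packets sent to port 1521 could render BFS unavailable."),
    Vulnerability("User names & passwords are in scripts & initialization files", "credential",
                  ("Confidentiality", "Integrity"),
                  "Exploitation of passwords in script & initialization files could compromise BFS data."),
    Vulnerability("Generic accounts found in the database (e.g., test, share, guest)", "credential",
                  ("Confidentiality", "Integrity"),
                  "Use of generic BFS accounts could compromise confidentiality & integrity of BFS data."),
)
BFS_THREATS = (
    Threat("Fire", frozenset({"physical"})),
    Threat("Malicious Use", frozenset({"network", "credential"})),
    Threat("Computer Crime", frozenset({"network", "credential"})),
    Threat("Pandemic", frozenset({"personnel"})),  # listed in Table C, exploits none of the above
)
BFS_EXPOSURES = frozenset({"physical", "network", "credential"})
# The same vulnerabilities on a stand-alone system with no network, e.g. an offline PKI certificate authority
OFFLINE_EXPOSURES = frozenset({"physical", "credential"})

if __name__ == "__main__":
    print(format_table_d(identify_risks(BFS_VULNERABILITIES, BFS_THREATS, BFS_EXPOSURES)))
```

Run against BFS_EXPOSURES the four vulnerabilities each produce a row, with Malicious Use and Computer Crime sharing the port 1521 row; run against OFFLINE_EXPOSURES the port 1521 vulnerability produces no row and the remaining risks are renumbered 1 to 3, which is the section's point that a flaw without a credible threat is not a risk.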
Assessment eport 9 CONTROL ANAL;'I' The purpose of this step is to document a list of security controls used for the IT system* These controls should correspond to the re8uirements of the Policy, Standard, and Audit Standard. The analysis should also specify .hether the control is in(place (i*e*, current) or planned, and .hether the control is currently enforced* In the next step these controls are matched .ith the ris!s identified in Table D, in order to identify those ris!s that re8uire additional response* Table . is an exam$le of a security controls list that corres$onds to the re5uirements of the Policy, Standard, and Audit Standard. This list shows controls that are in,$lace, as well as those $lanned for im$lementation. 9 1ontrol Analysis TaCle * documents IT security controls $lanned and in $lace for the BFS system. Appendix D, page 9' $xample is! Assessment eport Appendix D, page 9) TaCle *% Security 1ontrols 1ontrol Area In>#laceH #lanned 'escri$tion of 1ontrols 1 Risk 5anagement 1.1 IT Security Roles I Res$onsiCilities In $lace 1. ReAuired IT Security roles ha(e Ceen assigned in -riting+ Coth for BFA as a -hole+ I for the BFS. ohn 6o-ard+ BFA 1ommissioner+ has designated ane ones as BFA IS& I delegated the assignment of other IT security roles to her. !. =ith res$ect to BFS+ ane ones has assigned indi(iduals to the reAuired IT security roles+ as documented else-here in this re$ort. 1.! Business Im$act Analysis In $lace 1. BFA management I staff conducted I documented a Business Im$act Analysis ?BIA@ of the Agency during une !009E this BIA -as u$dated in 5ay !00". The BFA BIA notes that the BFS su$$orts essential BFA functions. 1.) IT System I 'ata Sensiti(ity 1lassification In $lace 1. BFA has documented classification of the sensiti(ity of BFA IT systems I data+ including the BFS. This classification notes the high sensiti(ity of much of the data handled Cy the BFS. 1.9 IT System In(entory I 'efinition In $lace 1. 
BFA has documented an inventory of its sensitive IT systems; this inventory includes the BFS; the System Definition of BFS is included in Section 2 of this Risk Assessment report.
1.5 Risk Assessment | In place | 1. This report documents the Risk Assessment of BFS in July 2007, building on an earlier BFS Risk Assessment in July 2004.
 | Planned | 2. BFA will validate the current Risk Assessment through annual self-assessments in July 2008 & July 2009, & will conduct the next formal BFS RA in July 2010, or sooner, if necessary.
1.6 IT Security Audits | In place | 1. Anne Keller, BFA Internal Audit Director, manages IT Security Audits for BFA. 2. An IT Security Audit of BFS was conducted & documented by BFA Internal Audit staff on June 24, 2007. 3. Required reporting for the BFS CAP is in place.
 | Planned | 4. Future IT Security Audits of BFA are planned biennially.
2 IT Contingency Planning
2.1 Continuity of Operations Planning | In place | 1. Sam Robinson is the BFA Continuity of Operations Plan (COOP) Coordinator & also serves as the focal point for IT COOP & Disaster Recovery (DR) activities. 2. The BFA COOP documents the requirements for 24-hour recovery of the BFS & its data to support budget preparation, & 72-hour recovery of BFS & its data at other times. 3. The BFA COOP identifies all personnel required for its execution, including personnel required for recovery of the BFS, & includes emergency declaration, notification, & operations procedures. 4. The COOP document is classified as sensitive; access to this document is restricted to COOP team members, & a copy of the COOP is stored off site at Data Recovery Services, Inc., BFA's recovery site partner. 5. Recovery procedures for BFS were most recently tested during BFA's annual COOP exercise on May 18-20, 2007.
 | Planned | 6. The BFA COOP, including components relating to the BFS, is currently being updated as a result of the COOP exercise; completion is expected by September 1, 2007. 7.
Recovery procedures for BFS will next be tested during the BFA COOP exercise scheduled for May 2008.
2.2 IT Disaster Recovery Planning | In place | 1. A Disaster Recovery Plan (DRP) for the BFS has been documented & approved by the BFA Commissioner. This plan calls for recovery of the BFS within 72 hours at a cold site maintained by Data Recovery Services, Inc. (DRSI) through a contract with DRSI. In order to support 24-hour recovery of BFS during budget preparation, the contract with DRSI includes 24-hour recovery during this period. 2. Both 72- & 24-hour recovery of the BFS were tested during the BFA COOP exercise on May 18-20, 2007, including access to the recovered BFS by users at other COV Agencies. Members of the BFS Disaster Recovery Team received training on their responsibilities in advance of the exercise.
 | Planned | 1. The BFS DRP is currently being updated as a result of the recovery during the BFA COOP exercise; completion is expected by September 1, 2007. 2. Recovery of the BFS will next be tested during the BFA COOP exercise scheduled for May 2008.
2.3 IT System & Data Backup & Restoration | In place | 1. A Backup & Restoration Plan for the BFS has been documented, & approved by John James, the BFS System Owner. This plan calls for: a. Weekly full & daily incremental backups & review of backup logs of BFS data by operations staff; b. Weekly pickup & transport of BFS backup tapes to DRSI by DRSI personnel; & c. Restoration of BFS data either at BFA or at DRSI only with the express written approval of John James, the BFS System Owner, or his designee.
3 IT Systems Security
3.1 IT System Hardening | In place | 1. BFS operations staff has identified & documented the Solaris 7 & Oracle 9i benchmarks from the Center for Internet Security (CIS) as appropriate hardening levels for the BFS.
John James, the BFS System Owner, has approved this recommendation in writing. These benchmarks were most recently applied to BFS in May 2007, & the application was documented in the BFS Change Log. 2. BFS operations staff most recently reviewed these benchmarks on June 7, 2007, & determined that they continue to provide an appropriate hardening level for the BFS. Benchmarks are reapplied whenever the operating system or application software is changed.
 | Planned | 3. PSI, the BFA business partner that operates the BFA technology environment, has engaged Cyberscan, Inc. to conduct a full vulnerability scan of the BFA technology environment. This scan is scheduled for August 2007. 4. Based on the results of the vulnerability scan, BFS operations staff will determine whether the CIS benchmarks continue to provide appropriate protection for the BFS.
3.2 IT Systems Interoperability Security | In place | 1. The BFS receives data only from the BCS; it does not transmit data to any other IT system. This data sharing is documented in Section 2.2 of this Risk Assessment, & in the BCS Risk Assessment. John James is System Owner of both BCS & BFS; therefore no written data sharing agreement is required. Security of network access is covered by a documented interoperability security agreement between John James, BFS System Owner, & Bea Roberts, System Owner of the PSI third-party network.
3.3 Malicious Code Protection | In place | 1. BFA has two different anti-virus software products installed on its desktop & laptop computers & on its e-mail servers. This software: a. Eliminates or quarantines all malicious programs that it detects & provides an alert to the user upon detection; b. Runs automatically on power-on & runs weekly full scans on memory & storage devices; c.
Automatically scans all files retrieved from all sources; d. Allows only system administrators to modify its configuration; & e. Maintains a log of protection activities; f. Eliminates or quarantines malicious programs in e-mail messages & file attachments as they attempt to enter the Agency's e-mail system. 2. Both desktop/laptop & e-mail anti-virus software are configured for automatic download of definition files whenever new files become available.
 | Planned | 3. The BFA Acceptable Use Policy, under development, will prohibit BFA users from intentionally developing or experimenting with malicious programs & knowingly propagating malicious programs, including opening attachments from unknown sources. This policy is scheduled for completion in August 2007.
3.4 IT Systems Development Life Cycle Security | In place | 1. The BFS is in the Implementation phase of its life cycle. As documented throughout this Risk Assessment report, BFA conducts & documents a formal Risk Assessment of the BFS every three years. In addition, the BFS complies with all other Risk Management requirements of the COV IT Security Standard.
4 Logical Access Control
4.1 Account Management | In place | Documented BFA & BFS policies require: 1. Granting access to IT system users based on the principle of least privilege. In the case of BFS, however, enforcement of least privilege is accomplished by granting ad-hoc access rights to BFS, rather than granting access based on predefined roles. 2. Approval by John James, BFS System Owner, & a prospective BFS user's supervisor before granting access to BFS; these policies are enforced. 3. Prospective BFS users to receive a BFA-required criminal background check before receiving access to BFS; these policies are enforced. 4. The use of passwords on all BFS accounts, & that these passwords expire every 90 days, at a minimum.
These policies are not enforced on BFS, however, as passwords are not set to expire & password changes are not enforced. 5. Annual review of all BFS accounts to assess the continued need for the accounts & access level. These policies also require automatic locking of accounts if not used for 30 days, disabling of unneeded accounts, retention of account information for 2 years in accordance with BFA records retention policy, & notification of supervisors, Human Resources, & the System Administrator about changes in the need for BFS accounts. These policies are not enforced on BFS, however, & BFS user accounts are not removed when the access is no longer required. 6. Prohibit the use of group accounts & shared passwords. These policies are not enforced on BFS, however, as accounts such as "guest," "test," & "share" exist in the BFS user database. 7. John James to approve access changes to BFS accounts, & for John James & the BFS operations & support team to investigate unusual account access. These policies are enforced.
4.2 Password Management | In place | Documented BFA & BFS policies require: 1. The use of passwords on sensitive systems such as BFS; these policies are enforced on BFS. These policies also require that, at a minimum, passwords be no less than eight characters long & contain both letters & numbers; Windows Active Directory is configured to require this length & complexity for BFS passwords. 2. Encryption of passwords during transmission; password encryption, however, is not correctly configured for BFS & BFS passwords are transmitted in clear text. 3. Users to maintain exclusive control of their passwords, to allow users to change their passwords at will, & to change a password immediately & notify the ISO if the password is compromised; these policies are enforced. 4. BFS users to change passwords every 90 days at a minimum; as noted above, however, these policies are not enforced with respect to BFS. 5.
The use of password history files to prevent password re-use; these policies are enforced on BFS & BFS retains the previous 240 passwords for each user to prevent their re-use. 7. Use of a procedure for delivery of the initial BFS password in person from the BFS support team in a sealed envelope. The password is expired, & the user is forced to change the password upon first login. Forgotten initial passwords are replaced by the BFS support team & not re-issued. 8. Prohibit the use of group accounts & shared passwords. These policies are not enforced on BFS, however, as accounts such as "guest," "test," & "share" exist in the BFS user database. 9. Prohibit the inclusion of passwords as plain text in scripts. These policies are not enforced on BFS, however, as passwords are included in scripts & initialization files. 10. Limit access to files containing BFS passwords to the BFS support team. These policies are enforced. 11. Suppression of passwords on the screen as they are entered. These policies are enforced. 12. Members of the BFS support team to have both an administrative & user account & use the administrative account only when performing tasks that require administrative privileges. These policies are enforced. 13. At least two members of the BFS support team to have a BFS administrative account.
4.3 Remote Access | In place | 1. Based on the sensitivity of BFS data, documented BFA & BFS policies require that remote access to BFS not be permitted from outside the PSI-provided third-party network. Remote OS authentication, however, is enabled in the BFS application, even though no user accounts are configured to allow this access.
 | Planned | 2.
To enable alternate work schedules & work locations, BFA is in the process of developing a plan to allow secure remote access to BFS. This plan is scheduled for completion in October 2007.
5 Data Protection
5.1 Data Storage Media Protection | In place | Documented BFA & BFS policies require: 1. Bea Roberts, as BFS Data Custodian, to provide protection of all sensitive BFS data. These requirements are enforced through a written agreement between BFA & Partner Services, Inc. 2. Sensitive BFS data not to be stored on mobile data storage media, through BFA policy that prohibits local storage of BFS data. This policy is not enforced, however, as sensitive BFS data is stored on USB drives. 3. Only authorized DRSI personnel to pick up, receive, transfer, & deliver BFS tapes. This policy is enforced. 4. BFS administrators & users to follow the ITRM Removal of Commonwealth Data from Surplus Computer Hard Drives & Electronic Media Standard (ITRM Standard SEC2003-02.1) when disposing of BFS data storage media that are no longer needed. This policy is enforced. 5. BFS users to receive training on the proper procedure for disposal of data storage media containing sensitive data as part of the BFA IT Security Awareness & Training program. This policy is enforced.
5.2 Encryption | In place | BFS uses encryption via: 1. The secure shell (ssh) & secure copy (scp) protocols, which are in wide commercial use. This use is documented in BFS design documents. 2. The CRDSK hard disk encryption product, as documented in BFA & BFS policies. 3. Encryption of passwords during transmission. As noted above, however, this feature is incorrectly configured for BFS; BFS passwords are transmitted in clear text.
 | Planned | 4. BFA is currently documenting Agency policies, standards, & procedures for encryption technologies. Completion of this documentation is planned by October 1, 2007.
6 Facilities Security
6.1 Facilities Security | In place | 1. The BFS is housed in the BFA Data Center, with access controlled via a Secure card-key access system, administered by the BFA IRM staff, which permits monitoring, logging, & auditing of all access to the BFA Data Center. Jane Jones, BFA ISO, approves all requests for BFA Data Center access based on the principle of least privilege. 2. The BFA Data Center is heated & cooled by a 90-ton HVAC unit, separate from the HVAC unit that heats & cools the remainder of the facility. Electric power to the BFA Data Center is provided by four Ribtell 400 kVA units connected to the commercial power supply. Backup power is provided by a diesel-powered generator. 3. Fire suppression in the BFA Data Center is provided by a wet-pipe sprinkler system. BFA is aware that this fire suppression system poses a risk of significant water damage to equipment in the data center, including BFS. Replacement of the wet-pipe sprinkler system, however, has been considered & is cost-prohibitive. 4. Access to the BFA facility at 123 Elm St. is also protected by the Secure card-key access system, administered by the BFA IRM staff. Cards that permit access to the facility are given only to BFA employees & contractors upon supervisory approval. All visitors are required to have escorts in the BFA facility. 5. Access to other areas in the BFA facility that house IT resources is controlled by means of cipher locks, also administered by the BFA IRM staff, which changes the lock ciphers every 90 days. Jane Jones, BFA ISO, approves all requests for access to the lock cipher based on the rule of least privilege.
7 Personnel Security
7.1 Access Determination & Control | In place | 1. BFS users receive a BFA-required fingerprint criminal background check & a credit check before receiving access to BFS. 2.
Access to the BFA facility & the BFA Data Center that houses the BFS is controlled by card-key access. 3. Adequate separation of duties exists for BFS in order to guard against the possibility of fraud. Documented BFA & BFS policies require: 4. The removal of physical & logical access rights upon transfer or termination of staff or when the need for access no longer exists. These policies are enforced with respect to physical access; as noted above, they are not enforced regarding logical access to BFS. 5. Return of Agency assets upon transfer or termination. These policies are enforced. 6. Granting access to IT system users based on the principle of least privilege. These policies are enforced with respect to physical access. In the case of BFS, however, enforcement of least privilege is accomplished by granting ad-hoc access rights to BFS, rather than granting access based on predefined roles.
7.2 IT Security Awareness & Training | In place | 1. Jane Jones, BFA ISO, is responsible for BFA's IT security awareness & training program. BFA requires, through documented policies & procedures, that all employees & contractors complete an on-line IT security training program on an annual basis. The online training program, which has been customized by the vendor to BFA's specifications, both records completion & forwards records of completion to the BFA ISO. The online training program covers: a. BFA policies for protecting IT systems & data, with a particular emphasis on sensitive systems & data; b. The concept of separation of duties; c. Employee responsibilities in continuity of operations, configuration management, & incident detection & reporting; d. IT system user responsibilities & best practices in: 1. Prevention, detection, & eradication of malicious code; 2. Proper disposal of data storage media; & 3. Proper use of encryption products; e. Access controls, including creating & changing passwords & the need to keep them confidential; f. BFA Remote Access policies; & g.
Intellectual property rights, including software licensing & copyright issues. 2. BFA employees & contractors are required to accept BFA IT security policies by completing an online agreement during the online IT security training. 3. Members of the BFS support team, BFA DR & Incident Response (IR) team members, & IRM staff are required to complete the equivalent of 40 contact hours or 3.0 CEUs of specialized IT security training related to their roles, through documented BFA policy, which is enforced. 4. BFA policy requires that all employees & contractors complete required basic IT security training within two weeks of beginning work at BFA; this policy is enforced.
7.3 Acceptable Use | In place | 1. BFA has elected to use the Virginia Department of Human Resource Management Policy 1.75, Use of Internet & Electronic Communication Systems, as its Acceptable Use policy. BFA employees & contractors are required to agree to this policy by completing an online agreement at the conclusion of online IT security training.
 | Planned | 2. BFA is in the process of developing its own Acceptable Use policy. Completion is expected in December 2007.
8 Threat Management
8.1 Threat Detection | In place | Jane Jones, BFA ISO, is responsible for BFA's threat detection program, which includes the following components: 1. BFA IRM staff receive threat detection training annually as their advanced IT security training. 2. PSI has deployed & monitors Intrusion Detection Systems (IDS) & Intrusion Prevention Systems (IPS) in the BFA environment. 3. PSI security staff maintains regular communication with US-CERT & other security research & coordination organizations, reviews IDS & IPS logs in real time, & recommends appropriate measures to BFA.
8.2 Incident Handling | In place | BFA has documented & enforces: 1.
An Incident Response Team that includes the BFA ISO, BFA IRM staff, & PSI support & security staff. 2. A protocol to use IT Security Audits, Risk Assessments, & post-incident review to identify appropriate measures to defend against & respond to cyber attacks. 3. Proactive measures to prevent cyber attacks in response to recommendations from the PSI security staff. 4. Internal BFA incident investigation, reporting, & recording processes. PSI has documented & enforces on BFA's behalf: 5. Proactive measures to prevent cyber attacks in response to recommendations from the PSI security staff. 6. Incident categorization & prioritization criteria, along with procedures to respond to each level of attack. 7. A reporting process for reporting IT security incidents in accordance with §2.2-603(F) of the Code of Virginia, including reporting IT security incidents only through channels that have not been compromised.
8.3 Security Monitoring & Logging | In place | BFA has documented designation of PSI security staff as responsible for: 1. Development of logging capabilities & review procedures for BFA as a whole, as well as for the BFS. 2. Enabling logging on all BFS components & retention of logs for 90 days. 3. Monitoring BFS security logs in real time & alerting the BFS support team & BFA IRM staff by pager when suspicious activity occurs.
9 IT Asset Management
9.1 IT Asset Control | In place | Documented & enforced BFA & BFS policies require: 1. No BFA IT assets to be removed from BFA premises, except for laptop computers assigned to individual BFA employees. 2. No IT assets not owned by BFA to be connected to any BFA system or network. 3. Removal of data from BFA IT assets prior to disposal in accordance with the COV Removal of Commonwealth Data from Surplus Computer Hard Drives & Electronic Media Standard (ITRM Standard SEC2003-02.1).
9.2 Software License Management | In place | 1.
Documented BFA policies require the use of only BFA-approved software on its IT systems & require annual reviews of whether all software is used in accordance with license requirements. 2. All BFS software is appropriately licensed.
9.3 Configuration Management & Change Control | In place | 1. BFA has documented configuration management & change control policies adequate so that changes to the IT environment do not introduce additional IT security risk. BFA enforces these policies with respect to the BFS.

Identify the security controls for each risk identified in Table D above. Associate the risks with the relevant controls in a Risks-Controls table (Table F), as below. This correlation determines whether controls exist that respond adequately to the identified risks. Indicate where controls are not in place or where they appear not to have been implemented effectively. Also indicate any factors that mitigate or exacerbate the absence of effective controls.

Table F correlates the risks to the BFS identified in Table D with relevant BFS IT security controls documented in Table E and with other mitigating or exacerbating factors.

Table F: Risks-Controls-Factors Correlation
Risk No. | Risk Summary | Correlation of Relevant Controls & Other Factors
1 | Fire would activate sprinkler system causing water damage & compromising the availability of BFS. | There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors. BFA Executive Management has accepted this risk.
2 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data. | Controls 4.1.5 and 7.1.4 are in place for closing unneeded and unused user accounts, but are not enforced. A mitigating factor is that the risk depends on gaining access to the client application. Physical access to the building, workstation areas, & network are adequately protected.
3 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data. | Controls 4.1.1 and 7.1.6 require users to receive the minimum access rights needed to perform job functions. These controls are in place on an ad-hoc basis rather than based on roles, as required by policy.
4 | Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use. | Control 8.2.1 provides intrusion detection sufficient to detect such an attack. No Intrusion Prevention System (IPS) is in place, however, to prevent such an attack.
5 | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data. | Control 8.1.3 requires that advisories & critical patch releases should be monitored. These procedures are not followed consistently. A mitigating factor is that occurrence of the risk depends on gaining access to the internal Agency network. A BFA firewall protects the Internet connection & a Data Center firewall protects the Data Center network. In addition, dial-in access is limited & strictly controlled. Internal users still pose a significant threat.

After preparing the table, enter the controls data in Exhibit 1 (this data entry can be accomplished by cutting and pasting from Table F).

6 | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data. | Control 4.2.9 requires that clear text passwords must not exist in scripts or text files on any system, but is not enforced for BFS. The use of clear text passwords is an inherent weakness in the client software, & there is no fix according to the vendor.
Physical protections are in place to limit access to the building & user workstation areas, & technical controls are in place to limit access to user workstations to those individuals who have been granted permission to log on to Agency systems.
7 | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data. | Controls 4.1.4 and 4.2.4 require regular password changes, but are not enforced for BFS. Support for required password changes is built into the software but has not been enabled.
8 | Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data. | Controls 4.1.6 and 4.2.8 require that shared accounts such as these not be used, but have not been enforced for BFS.
9 | Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data. | Control 4.3.1 prohibits access to BFS from outside the PSI third-party network; enabling remote access in the software violates this control. A mitigating factor is that only authorized users could access the application. The mitigating effect of this factor is reduced by the unused accounts that continue to exist on BFS.
10 | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data. | Controls 4.2.9 and 4.5.3 require encryption of passwords, but have not been enforced for BFS. Physical security protections are in place that would limit the ability to sniff the network to exploit this vulnerability.
11 | Loss or theft of USB drives could result in compromise of confidentiality of BFS data. | Control 4.4.2 prohibits storage of sensitive BFS data on portable media such as USB drives, but has not been enforced for BFS.

4 RISK LIKELIHOOD DETERMINATION

The purpose of this step is to assign a likelihood rating of high, moderate or low to each risk
identified in Table D. This rating is a subjective judgment based on the likelihood a vulnerability might be exploited by a credible threat. The following factors should be considered: threat-source motivation and capability, in the case of human threats; probability of the threat occurring, based on statistical data or previous experience, in the case of natural and environmental threats; and existence and effectiveness of current or planned controls.

5 Risk Likelihood Determination

Table G defines the Risk Likelihood ratings for the BFS.

Other factors may also be used to estimate likelihood. These include historical information, records and information from security organizations such as US-CERT and other sources. The controls listed in Table E may be considered, provided they adequately mitigate the risk. Agencies are strongly encouraged to use risk likelihood definitions of high, moderate, and low, as documented in Table G.

Table H, which begins on the next page, evaluates the effectiveness of controls and the probability or motivation and capability of each threat to BFS and assigns a likelihood, as defined in Table G, to each BFS risk documented in Table D.

Table G: Risk Likelihood Definitions
Effectiveness of Controls | Probability of Threat Occurrence (Natural or Environmental Threats) or Threat Motivation and Capability (Human Threats)
 | Low | Moderate | High
High | Low | Low | Moderate
Moderate | Low | Moderate | High
Low | Moderate | High | High

Table H: Risk Likelihood Ratings
Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
1 | Fire would activate sprinkler system causing water damage & compromising the availability of BFS. | There are no controls against water damage to BFS from the wet-pipe sprinkler system in the event of a fire, so the effectiveness of controls is low. The likelihood of fire in the BFA Data Center is low. | Moderate
2 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data. | Effectiveness of controls for closing user accounts is low, as unneeded user IDs exist on BFS. Threat source capability is also low as the risk is dependent on learning a user ID & password & gaining access to the client application. There appear to be adequate protections against this risk. Physical access to the building, workstation areas, & network are adequately protected. | Moderate
3 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data. | Effectiveness of controls to limit users to minimum access rights is moderate. Policies now in place enable these controls but on an ad-hoc basis rather than based on roles, as required by policy. Threat source capability and motivation is rated moderate as only authorized users could cause this risk. | Moderate
4 | Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use. | No controls are in place to prevent such an attack, so control effectiveness is low. Threat source capability and motivation is rated moderate as reward from attacking BFS in this manner is limited. | Moderate
5 | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data. | Effectiveness of controls to require timely application of patches to BFS is low as procedures for applying such patches are not followed consistently. Threat source motivation and capability is rated as low as occurrence of the risk depends on an unauthorized user's gaining access to the internal Agency network. There is an Agency firewall protecting the Internet connection & a Data Center firewall protecting the Data Center network. Additionally, dial-in access is limited & strictly controlled. | Moderate
6 | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data. | Effectiveness of controls prohibiting use of clear text passwords in scripts or text files is low as the use of clear text passwords is an inherent weakness in the client software. Threat source capability is rated low, as physical protections are in place to limit access to the building & user workstation areas, & technical controls are in place to limit access to user workstations to those individuals who have been granted permission to log on to Agency systems. | Moderate
7 | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data. | Effectiveness of controls requiring regular password changes is low; these changes are not required. Threat source capability is rated low as the risk depends on learning a user ID & password & gaining access to the client application. | Moderate
8 | Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data. | Effectiveness of controls that prohibit shared accounts such as these is low. Threat capability is high as user IDs for generic accounts such as these are well-known. | High
9 | Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data. | Effectiveness of controls requiring that remote access is enabled only where authorized and required is low, as these controls have not been followed. Threat source capability is moderate because of the unused accounts that exist on BFS. | High
10 | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data. | Effectiveness of controls requiring encryption of passwords is low, as these controls have not been followed.
Threat source ca$aCility is lo- as $hysical security $rotections are in $lace that -ould limit the aCility to sniff the net-ork to ex$loit this (ulneraCility. 5oderate 11 0oss or theft of 3SB dri(es could result in com$romise of confidentiality of BFS data. *ffecti(eness of controls $rohiCiting storage of sensiti(e data on 3SB dri(es is lo-+ as these controls ha(e not Ceen follo-ed. Threat source ca$aCility is high as such 3SB dri(es are freAuently lost or stolen. 6igh $xample is! Assessment eport * RI'8 IM2ACT ANAL;'I' The purpose of this step is to assign an impact rating of high, moderate or lo. to each ris! identified in Table D* The impact rating is determined based on the se+erity of the ad+erse impact that .ould result from an occurrence of the ris!* Agencies are urged to assign ratings based on the impact to the %/V as a .hole* / Risk Im$act Analysis TaCle I documents the ratings used to e(aluate the im$act of BFS risks on the 1&V and BFA. Table I pro+ides definitions of the impact ratings that agencies are strongly encouraged to use* Include the impact ratings used in the is! Assessment eport* 8hen determinin" the im$act ratin" the followin" "oernin" factors should be considered9 The business $rocess $erformed by the IT system. System and data sensitiity !i.e., the leel of $rotection re5uired to maintain system and data inte"rity, confidentiality, and aailability#. Im$act can also be based on ability to $roide serice to the $ublic. An aderse im$act mi"ht be a loss of confidentiality, inte"rity, or aailability, or a loss of $ublic trust in 7/:. +actors to consider are the loss or inconenience the $ublic would suffer if the risk were to occur. This information can usually be obtained from the A"ency;s %usiness Im$act Analysis !%IA#. Apply the impact definitions in Table ? to the ris!s identified in Table D to e+aluate the effect if the ris! 
occurs* TaCle documents the results of the im$act analysis for BFS+ including the estimated im$act for each risk identified in TaCle ' and the im$act rating assigned to the risk. Appendix D, page 4& TaCle I% Risk Im$act Rating 'efinitions 5agnitude of Im$act Im$act 'efinition 6igh &ccurrence of the risk% ?1@ may result in human death or serious inBuryE ?!@ may result in the loss of maBor 1&V tangiCle assets+ resources or sensiti(e dataE or ?)@ may significantly harm+ or im$ede the 1&VGs mission+ re$utation+ or interest. 5oderate &ccurrence of the risk% ?1@ may result in human inBuryE ?!@ may result in the costly loss of 1&V tangiCle assets or resourcesE or ?)@ may (iolate+ harm+ or im$ede the 1&VGs mission+ re$utation+ or interest. 0o- &ccurrence of the risk% ?1@ may result in the loss of some tangiCle 1&V assets or resources or ?!@ may noticeaCly affect the 1&VGs mission+ re$utation+ or interest. $xample is! Assessment eport Appendix D, page 46 TaCle % Risk Im$act Analysis Risk 2o. Risk Summary Risk Im$act Risk Im$act Rating 1 Fire -ould acti(ate s$rinkler system causing -ater damage I com$romising the a(ailaCility of BFS. BFS una(ailaCle for use. 6igh ! 3nauthoriDed use of unneeded user I's could com$romise confidentiality I integrity of BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh ) 3nauthoriDed access (ia ad>hoc $ri(ileges could com$romise of confidentiality I integrity of BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh 9 'enial of ser(ice attack (ia large Cogus $ackets sent to $ort 1.!1 could render BFS una(ailaCle for use. BFS una(ailaCle for use 6igh . *x$loitation of un>$atched a$$lication security fla-s could com$romise confidentiality I integrity of BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh / *x$loitation of $ass-ords in scri$t I initialiDation files could result in com$romise of confi> dentiality I integrity of BFS data. 3nauthoriDed disclosure or modification of BFS data. 
6igh " 1om$romise of unex$iredH unchanged $ass-ords could result in com$romise of confiden> tiality I integrity of BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh : Remote access is not currently used Cy BFSE enaCling this access -hen not necessary could result in com$romise of confidentiality I integrity of sensiti(e BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh , Remote access is not currently used Cy BFSE enaCling this access -hen not necessary could result in com$romise of confidentiality I integrity of sensiti(e BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh 10 3nencry$ted $ass-ords could Ce com$romised+ resulting in com$romise of confidentiality I integrity of sensiti(e BFS data. 3nauthoriDed disclosure or modification of BFS data. 6igh 11 0oss or theft of 3SB dri(es could result in com$romise of confidentiality of BFS data. 3nauthoriDed disclosure of BFS data. 6igh $xample is! Assessment eport Assign an impact rating to each ris! identified in Table D* $nter the data in $xhibit A* This data entry can be accomplished by cutting and pasting from Table I* This section contains the results of an im$act analysis $erformed for the BFS. To $erform this analysis+ an im$act rating of lo-+ moderate+ or high -as assigned to each risk identified in TaCle '. The im$act rating for each risk -as determined Cased on the se(erity of the ad(erse im$act that -ould result from a successful ex$loitation of the (ulneraCility. The im$act ratings in this section for each indi(idual risk -ere Cased on the systemGs mission+ and system and data sensiti(ity. BFAGs most recent Business Im$act Analysis ?BIA@ -as re(ie-ed in determining the ratings. Appendix D, page 4B $xample is! Assessment eport > OVERALL RI'8 %ETERMINATION The purpose of this step is to calculate an o+erall ris! rating of high, moderate or lo. for each ris! identified in Table D* The ris! rating must be based on both the li!elihood of the ris! 
occurring and on the impact to the %/V should the ris! occur* " &(erall Risk 'etermination The determination of risk ratin"s is somewhat sub*ectie. Their alue is in the attem$t to 5uantify, howeer sub*ectiely, the combination of likelihood and im$act of occurrence. .ach risk ratin" is ex$ressed as the correlation of the "ien risk;s likelihood of occurrence, and the risk<s res$ectie im$act ratin". The resultin" risk ratin"s will $lace the arious risk on a scale !e."., 1 to 122#, thus enablin" mana"ers to rank the risks 5uantitatiely in order of seerity and $riority. +or exam$le9 .ach risk likelihood ratin" assi"ned in Table -, may be assi"ned a numerical alue of 2.1 for low, 2.1 for moderate, or 1.2 for hi"h to re$resent the $robability of occurrence !i.e., 2.1 to 1.2#. .ach risk im$act ratin" assi"ned Table I, may be assi"ned a numerical alue of 12 for low, 12 for moderate, or 122 for hi"h to re$resent a 5uantified im$act estimate !i.e., 12 to 122#. 7alculate the oerall risk ratin"s for each risk by multi$lyin" the numerical ratin"s assi"ned for likelihood and im$act. +or a thorou"h descri$tion of the risk ratin" calculation, refer to the annotated NIST SP =22,&2, Table &,>, ?Risk Scale and Necessary Actions.@ Table F, ta!en from 1IST S2 3''(4', is an example of a ris!(rating matrix sho.ing ho. the o+erall ris! ratings for a 4x4 matrix (i*e*, high, moderate and lo. li!elihood by lo., moderate and high impact) are to be deri+ed* If your agency re8uires more granular ris! ratings, a larger matrix (e*g*, =x=, 4x&) may be used* TaCle 8 documents the criteria used in determining o(erall risk ratings for the BFS. Appendix D, page 43 $xample is! Assessment eport Assign a ris! rating to each ris! listed in Table D* $nter the ris! ratings in $xhibit A* This data entry can be accomplished by cutting and pasting from Table G* TaCle 0 assigns risk ratings from TaCle 8 to the risks identified for the BFS. 
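The Table G likelihood lookup and the likelihood-times-impact scoring of Table K, carried through in Python and applied to the BFS ratings from Tables H and J, as an added worked example (not code from the guideline; the Risk class, the function names and the constructed BFS_RISKS list are assumptions of mine):

```python
"""Risk likelihood lookup (Table G) and overall risk rating (Table K) for the
COV risk assessment method, applied to the BFS example risks on this page.
Added worked example, not code from the guideline; the Risk class, the
function names and the constructed BFS_RISKS list are my own."""
from dataclasses import dataclass

# Table G: rows are effectiveness of controls; columns are probability of
# threat occurrence (natural threats) or threat motivation and capability
# (human threats). Weak controls against a capable threat rate High.
LIKELIHOOD_MATRIX = {
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}

# Numerical values from NIST SP 800-30, Table 3-7, as used in Table K.
LIKELIHOOD_VALUE = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}
IMPACT_VALUE = {"Low": 10, "Moderate": 50, "High": 100}


def likelihood(control_effectiveness: str, threat: str) -> str:
    """Risk likelihood rating for one control-effectiveness / threat pair."""
    return LIKELIHOOD_MATRIX[control_effectiveness][threat]


def risk_score(likelihood_rating: str, impact_rating: str) -> float:
    """Likelihood value times impact value, on the 1 to 100 scale."""
    # round() keeps products such as 0.1 * 100 at exactly 10.0 for the
    # boundary comparisons in overall_rating()
    return round(LIKELIHOOD_VALUE[likelihood_rating] * IMPACT_VALUE[impact_rating], 2)


def overall_rating(score: float) -> str:
    """Risk scale of Table K: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100).

    Upper bounds are inclusive: Moderate likelihood x High impact (50) is
    Moderate, and Low likelihood x High impact (10) is Low.
    """
    if score <= 10:
        return "Low"
    if score <= 50:
        return "Moderate"
    return "High"


def rating_matrix() -> dict:
    """Every (likelihood, impact) cell of Table K as (score, overall rating)."""
    cells = {}
    for lik in LIKELIHOOD_VALUE:
        for imp in IMPACT_VALUE:
            score = risk_score(lik, imp)
            cells[(lik, imp)] = (score, overall_rating(score))
    return cells


@dataclass(frozen=True)
class Risk:
    number: int
    summary: str
    likelihood_rating: str  # as assigned in Table H
    impact_rating: str      # as assigned in Table J


# Constructed from the BFS example on this page (Tables H and J).
BFS_RISKS = [
    Risk(1, "Fire activates wet-pipe sprinkler system", "Moderate", "High"),
    Risk(2, "Unauthorized use of unneeded user IDs", "Moderate", "High"),
    Risk(3, "Unauthorized access via ad-hoc privileges", "Moderate", "High"),
    Risk(4, "Denial of service via bogus packets to port 1521", "Moderate", "High"),
    Risk(5, "Exploitation of unpatched application flaws", "Moderate", "High"),
    Risk(6, "Passwords in script and initialization files", "Moderate", "High"),
    Risk(7, "Unexpired/unchanged passwords", "Moderate", "High"),
    Risk(8, "Generic (shared) BFS accounts", "High", "High"),
    Risk(9, "Remote OS authentication enabled but unused", "High", "High"),
    Risk(10, "Login encryption not configured", "Moderate", "High"),
    Risk(11, "Sensitive data on USB drives", "High", "High"),
]


def rate_risks(risks=BFS_RISKS) -> dict:
    """Overall rating per risk number, as entered in Table L and Exhibit 1."""
    return {r.number: overall_rating(risk_score(r.likelihood_rating, r.impact_rating))
            for r in risks}


def ranked(risks=BFS_RISKS) -> list:
    """Risk numbers ordered by score, highest first; ties keep table order."""
    by_score = sorted(risks, reverse=True,
                      key=lambda r: risk_score(r.likelihood_rating, r.impact_rating))
    return [r.number for r in by_score]


if __name__ == "__main__":
    for (lik, imp), (score, rating) in rating_matrix().items():
        print(f"{lik:8} likelihood x {imp:8} impact = {score:6.1f} -> {rating}")
    for number, rating in rate_risks().items():
        print(f"Risk {number:2}: {rating}")
    print("Priority order:", ranked())
```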
Table K: Overall Risk Rating Matrix
Risk Likelihood | Impact: Low (10) | Impact: Moderate (50) | Impact: High (100)
High (1.0) | Low (10 x 1.0 = 10) | Moderate (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Moderate (0.5) | Low (10 x 0.5 = 5) | Moderate (50 x 0.5 = 25) | Moderate (100 x 0.5 = 50)
Low (0.1) | Low (10 x 0.1 = 1) | Low (50 x 0.1 = 5) | Low (100 x 0.1 = 10)
Risk Scale: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100)

Table L: Overall Risk Ratings Table
Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating
1 | Fire would activate sprinkler system causing water damage & compromising the availability of BFS. | Moderate | High | Moderate
2 | Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data. | Moderate | High | Moderate
3 | Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data. | Moderate | High | Moderate
4 | Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use. | Moderate | High | Moderate
5 | Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data. | Moderate | High | Moderate
6 | Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data. | Moderate | High | Moderate
7 | Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data. | Moderate | High | Moderate
8 | Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data. | High | High | High
9 | Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data. | High | High | High
10 | Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data. | Moderate | High | Moderate
11 | Loss or theft of USB drives could result in compromise of confidentiality of BFS data. | High | High | High

Describe the process used in assigning overall risk ratings.

This section contains the results of a risk determination performed for the Budget Formulation System. A risk rating of low, moderate, or high was assigned to each risk identified in Table D. The risk rating for each individual risk was calculated using guidance provided in NIST SP 800-30, Table 3-7, "Risk Scale and Necessary Actions."

8 RECOMMENDATIONS

The purpose of this step is to recommend additional actions required to respond to the identified risks, as appropriate to the agency's operations. The goal of the recommended risk response is to reduce the residual risk to the system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:
- Effectiveness of recommended options (e.g., system compatibility)
- Legislation and regulation
- Organizational policy
- Operational impact
- Safety and reliability

8 Recommendations
Table M documents recommendations for the risks identified for the BFS system.

Table M: Recommendations
(Columns: Risk No.; Risk Summary; Risk Rating; Recommendations)

Risk 1 (Moderate): Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Recommendations: None. Replacing the wet-pipe sprinkler system in the BFA Data Center has been determined to be cost-prohibitive. BFA executive management has elected to accept this risk.

Risk 2 (Moderate): Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Recommendations: The BFS support team should follow BFA & BFS policies regarding removal of accounts. BFA IRM should develop & implement a process to verify that termination procedures are carried out in the timeframe specified by BFA & BFS policy.

Risk 3 (Moderate): Unauthorized access via ad-hoc privileges could compromise confidentiality & integrity of BFS data.
Recommendations: BFA IRM should develop BFS user roles & associated privileges. Once developed, the BFS support team should implement these roles & assign BFS privileges based on role.

Risk 4 (Moderate): Denial of service attack via large bogus packets sent to port 1521 could render BFS unavailable for use.
Recommendations: BFA IRM staff and the PSI support team should analyze whether replacing the existing Intrusion Detection Systems (IDS) with an Intrusion Prevention System is a cost-effective response to this risk.

Risk 5 (Moderate): Exploitation of unpatched application security flaws could compromise confidentiality & integrity of BFS data.
Recommendations: The BFS support team should implement procedures for reviewing & updating vendor-recommended patches to ensure that patches are applied in a timely manner. An automated notification process should be developed to notify the appropriate individuals of critical updates.

Risk 6 (Moderate): Exploitation of passwords in script & initialization files could result in compromise of confidentiality & integrity of BFS data.
Recommendations: The client software should be rewritten so that clear-text user IDs & passwords are not used in script and initialization files.

Risk 7 (Moderate): Compromise of unexpired/unchanged passwords could result in compromise of confidentiality & integrity of BFS data.
Recommendations: The BFS support team should enable the functionality within Oracle to expire passwords & require changes.

Risk 8 (High): Use of generic BFS accounts could result in compromise of confidentiality & integrity of sensitive BFS data.
Recommendations: The BFS support team should remove all generic accounts from BFS. BFA IRM should continue to monitor accounts to verify that no new shared accounts are created.

Risk 9 (High): Remote access is not currently used by BFS; enabling this access when not necessary could result in compromise of confidentiality & integrity of sensitive BFS data.
Recommendations: As an immediate step, the BFS support team should disable the remote OS feature. As documented in planned controls, the BFA IRM staff and BFS support team should work to develop a secure method to allow remote access to BFS.

Risk 10 (Moderate): Unencrypted passwords could be compromised, resulting in compromise of confidentiality & integrity of sensitive BFS data.
Recommendations: The BFS support team should configure the login encryption feature properly.

Risk 11 (High): Loss or theft of USB drives could result in compromise of confidentiality of BFS data.
Recommendations: BFA should include the prohibition on storing sensitive data on removable media such as USB drives in the BFA Acceptable Use policy, under development, and in the BFA Security Awareness and Training program.

Develop a list of recommendations related to the risks in Table D. Enter the recommendations into Exhibit 1. This data entry can be accomplished by cutting and pasting from Table M.

9 RESULTS DOCUMENTATION

The final step in the risk assessment is to complete the Risk Assessment Matrix located in Exhibit 1. The data gathered in the previous steps should be used to populate the matrix. Once the risk assessment has been completed (threat-sources and vulnerabilities identified, risks assessed, and controls assessed and recommended), the results should be documented in an official report or management brief. The Risk Assessment Matrix located in Exhibit 1 serves as the basis for preparing the official report or management brief and documenting the risk assessment results. The risk assessment report helps senior management, the mission owners, make informed decisions on policy, procedural, budget and system operational and management changes. A risk assessment is not an audit or investigation report, which often looks for wrongdoing and issues findings that can be embarrassing to managers and system owners. A risk assessment is a systematic, analytical tool for identifying security weaknesses and calculating risk. The risk assessment report should not be presented in an accusatory manner. It should rather be a frank and open discussion of the observations of the risk assessment team. Its purpose is to inform senior management of the current threat-vulnerability environment and the adequacy of current and planned security controls. The value of a risk assessment is that it helps senior management to understand the current system exposure so they can allocate resources effectively and efficiently to correct errors and reduce potential losses.

The analysis should assess the effectiveness of in-place or planned controls in responding to the identified risks to the system. Compliance with these controls should be evaluated on an annual basis through a security self-assessment. Other considerations, which are beyond the scope of the risk assessment but which may be addressed in the report and should be discussed in the brief, are management's assessment and subsequent corrective action plan (CAP) to address the identified weaknesses. For each recommendation management should:
- Assign a priority to the recommendation;
- Assign responsibility to an individual or identify the department that will be held accountable for implementing the recommendation;
- Provide a date for initiating the recommendation; and
- Provide a date by which time the recommendations must be fully implemented.

Complete the Risk Assessment Matrix in Exhibit 1 (much of the required data entry can be accomplished by cutting and pasting data from the Tables developed throughout the process). Prepare an official report or management brief to explain the results of the risk assessment and provide the rationale for the recommended security controls.

IT Risk Management Guideline, Appendix E - Risk Assessment Template, Appendix E, Page 45

Exhibit 1: Risk Assessment Matrix
(Columns: Risk No.; Vulnerability; Threat; Risk; Risk Summary; Risk Likelihood Rating; Risk Impact Rating; Overall Risk Rating; Analysis of Relevant Controls and Other Factors; Recommendations)

Risk 1
Vulnerability: Wet-pipe sprinkler system in BFS Data Center.
Threat: Fire
Risk: Compromise of BFS availability.
Risk Summary: Fire would activate sprinkler system causing water damage & compromising the availability of BFS.
Likelihood / Impact / Overall: Moderate / High / Moderate
Analysis of Relevant Controls and Other Factors: There are no controls relevant to this risk; neither are there any mitigating or exacerbating factors.
Recommendations: None. Replacing the wet-pipe sprinkler system in the BFA Data Center has been determined to be cost-prohibitive. BFA executive management has elected to accept this risk.

Risk 2
Vulnerability: BFS user identifiers (IDs) no longer required are not removed from BFS in a timely manner.
Threat: Unauthorized Use
Risk: Compromise of confidentiality & integrity of BFS data.
Risk Summary: Unauthorized use of unneeded user IDs could compromise confidentiality & integrity of BFS data.
Likelihood / Impact / Overall: Moderate / High / Moderate
Analysis of Relevant Controls and Other Factors: Controls 4.1.5 and 7.1.4 are in place for closing unneeded and unused user accounts, but are not enforced. A mitigating factor is that the risk depends on gaining access to the client application. Physical access to the building, workstation areas, & network is adequately protected.
Recommendations: The BFS support team should follow BFA & BFS policies regarding removal of accounts. BFA IRM should develop & implement a process to verify that termination procedures are carried out in the timeframe specified by BFA & BFS policy.
) BFS access $ri(ileges are granted on an ad>hoc Casis rather than $redefined roles. 3nauthor> iDed Access 1om$romise of confiden> tiality I integrity of BFS data. 3nauthoriDed access (ia ad> hoc $ri(ileges could com$romise of confidentiality I integrity of BFS data. 5oderate 6igh 5oderate 1ontrols 9.1.1 and ".1./ reAuire users to recei(e the minimum access rights needed to $erform BoC functions. These controls are in $lace on an ad>hoc Casis rather than Cased on roles+ as reAuired Cy $olicy. BFA IR5 should de(elo$ BFS user roles & associated $ri(ileges. &nce de(elo$ed the BFS su$$ort team should im$lement these roles & assign BFS $ri(ileges Cased on role. IT is! "anagement #uideline, Appendix $ < is! Assessment Template Appendix $, 2age =6 *xhiCit 1% Risk Assessment 5atrix ?continued@ Risk 2o. VulneraCility Threat Risk Risk Summary Risk 0ikelihood Rating Risk Im$act Rating &(erall Risk Rating Analysis of Rele(ant 1ontrols and &ther Factors Recommendations 9 Bogus T1# $ackets ?J .0000 Cytes@ directed at $ort 1.!1 -ill cause BFS to sto$ res$onding. 5alici> ous 3se 1om> $uter 1rime 1om$romise of BFS a(ailaCility. 'enial of ser(ice attack (ia large Cogus $ackets sent to $ort 1.!1 could render BFS una(ailaCle for use. 5oderate 6igh 5oderate 1ontrol :.!.1 $ro(ides intrusion detection sufficient to detect such an attack. 2o Intrusion #re(ention System ?I#S@ is in $lace to $re(ent such an attack+ ho-e(er. BFA IR5 staff and the #SI su$$ort team should analyDe -hether re$lacing the existing Intrusion 'etection Systems ?I'S@ -ith an Intrusion #re(ention System is a cost> effecti(e res$onse to this risk. . 2e- $atches exist to correct fla-s in a$$lication security design ha(e not Ceen a$$lied. 5alici> ous 3se 1om$> uter 1rime 1om$romise of confiden> tiality I integrity of BFS data. *x$loitation of un>$atched a$$lication security fla-s could com$romise confidentiality I integrity of BFS data. 5oderate 6igh 5oderate 1ontrol :.1.) 
reAuires that ad(isories I critical $atch releases should Ce monitored. These $rocedures are not follo-ed consistently. A mitigating factor to consider is that occurrence of the risk de$ends on an unauthoriDed userGs gaining access to the internal Agency net-ork. There is an Agency fire-all $rotecting the Internet connection I a 'ata 1enter fire-all $rotecting the 'ata 1enter net-ork. In addition+ dial>in access is limited I strictly controlled. Internal users still $ose a significant threat. The BFS su$$ort team should im$lement $rocedures for re(ie-ing I u$dating (endor>recommended $atches so that $atches ensure are a$$lied in a timely manner. An automated notification $rocess should Ce de(elo$ed to notify the a$$ro$riate indi(iduals of critical u$dates. IT is! "anagement #uideline, Appendix $ < is! Assessment Template Appendix $, 2age =B *xhiCit 1% Risk Assessment 5atrix ?continued@ Risk 2o. VulneraCility Threat Risk Risk Summary Risk 0ikelihood Rating Risk Im$act Rating &(erall Risk Rating Analysis of Rele(ant 1ontrols and &ther Factors Recommendations / 3ser names I $ass-ords are in scri$ts I initialiDa> tion files. 5alici> ous 3se 1om$u> ter 1rime 1om$romise of confiden> tiality I integrity of BFS data. *x$loitation of $ass-ords in scri$t I initialiDation files could result in com$romise of confiden> tiality I integrity of BFS data. 5oderate 6igh 5oderate 1ontrol 9.!., reAuires that clear text $ass-ords must not exist in scri$ts or text files on any system+ Cut is not enforced for BFS. The use of clear text $ass-ords is an inherent -eakness in the client soft-are+ I there is no fix according to the (endor. #hysical $rotections are in $lace to limit access to the Cuilding I user -orkstation areas+ I technical controls are in $lace to limit access to user -orkstations to those indi(iduals -ho ha(e Ceen granted $ermission to logon to Agency systems. 
The client soft-are should Ce re-ritten so that clear>text user I's I $ass-ords are not used in scri$t and initialiDation files. " #ass-ords are not set to ex$ireE regular $ass-ord changes are not enforced. 5alici> ous 3se 1om$u> ter 1rime 1om$romise of confiden> tiality I integrity of BFS data. 1om$romise of unex$iredH unchanged $ass-ords could result in com$romise of confiden> tiality I integrity of BFS data. 5oderate 6igh 5oderate 1ontrols 9.1.9 and 9.!.9 reAuire regular $ass-ord changes+ Cut are not enforced for BFS. Su$$ort for reAuired $ass-ord changes is Cuilt into the soft-are Cut ha(e not Ceen enaCled. The BFS su$$ort team should enaCle the functionality -ithin &racle to ex$ire $ass-ords I reAuire changes. : K<enericL accounts found in the dataCase ?e.g.+ test+ share+ guest@. 5alici> ous 3se 1om$u> ter 1rime 1om$romise of confiden> tiality I integrity of BFS data. 3se of generic BFS accounts could result in com$romise of confidentiality I integrity of sensiti(e BFS data. 6igh 6igh 6igh 1ontrols 9.1./ and 9.!.: reAuire that shared accounts such as these not Ce used Cut ha(e not enforced for BFS. The BFS su$$ort team should remo(e all generic accounts from BFS. BFA IR5 should monitor accounts should continue to (erify that no ne- shared accounts are created. IT is! "anagement #uideline, Appendix $ < is! Assessment Template Appendix $, 2age =3 *xhiCit 1% Risk Assessment 5atrix ?continued@ Risk 2o. VulneraCility Threat Risk Risk Summary Risk 0ikelihood Rating Risk Im$act Rating &(erall Risk Rating Analysis of Rele(ant 1ontrols and &ther Factors Recommendations , Remote &S authentica> tion is enaCled Cut not used. 5alici> ous 3se 1om$u> ter 1rime 1om$romise of confiden> tiality I integrity of BFS data. Remote access is not currently used Cy BFSE enaCling this access -hen not necessary could result in com$romise of confidentiality I integrity of sensiti(e BFS data. 
6igh 6igh 6igh 1ontrol 9.).1 $rohiCits access to BFS from outside the #SI third> $arty net-orkE enaCling remote access in the soft-are (iolates this control. A mitigating factor is that only authoriDed users could access the a$$lication. This mitigating effect of this factor is reduced Cy the unused accounts that continue to exist on BFS. As an immediate ste$+ the BFS su$$ort team should disaCle the remote &S feature. As documented in $lanned controls+ the BFA IR5 staff and BFS su$$ort team should -ork to de(elo$ a secure method to allo- remote access to BFS. 10 0ogin encry$tion setting is not $ro$erly configured. 5alici> ous 3se 1om$u> ter 1rime 1om$romise of confiden> tiality I integrity of BFS data. 3nencry$ted $ass-ords could Ce com$romised+ resulting in com$romise of confidentiality I integrity of sensiti(e BFS data. 5oderate 6igh 5oderate 1ontrols 9.!., and 9...) reAuire encry$tion of $ass-ords+ Cut ha(e not Ceen enforced for BFS. #hysical security $rotections are in $lace that -ould limit the aCility to sniff the net-ork to ex$loit this (ulneraCility. The BFS su$$ort team should configure the login encry$tion feature $ro$erly. 11 Sensiti(e BFS data is stored on 3SB dri(es 5alici> ous 3se 1om$u> ter 1rime 1om$romise of confiden> tiality of BFS data. 0oss or theft of 3SB dri(es could result in com$romise of confidentiality of BFS data. 6igh 6igh 6igh 1ontrol 9.9.! $rohiCits storage of sensiti(e BFS data on $ortaCle media such as 3SB dri(es+ Cut has not Ceen enforced for BFS. BFA should include the $rohiCition on storing sensiti(e data on remo(aCle media such as 3SB dri(es in the BFA Acce$taCle 3se $olicy+ under de(elo$ment+ and in the BFA Security A-areness and Training $rogram. RI'8 A''E''MENT RE2ORT TEM2LATE Information Technology Ris! Assessment For Appendix $, 2age =A is! Assessment eport Risk Assessment Annual Document Review History The Risk Assessment is revieed! at least annually! 
and the date and revieer recorded on the table belo" Revie #ate Revieer i is! Assessment eport TA1LE OF CONTENT' * , INTRO%3CTION66666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666> / IT ';'TEM CHARACTERI<ATION6666666666666666666666666666666666666666666666666666666666666666666666666: = RI'8 I%ENTIFICATION66666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666,9 9 CONTROL ANAL;'I'66666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666/) ( RI'8 LI8ELIHOO% %ETERMINATION666666666666666666666666666666666666666666666666666666666666666=/ * RI'8 IM2ACT ANAL;'I'6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666=( > OVERALL RI'8 %ETERMINATION6666666666666666666666666666666666666666666666666666666666666666666666=? ? RECOMMEN%ATION'66666666666666666666666666666666666666666666666666666666666666666666666666666666666666666666669, : RE'3LT' %OC3MENTATION6666666666666666666666666666666666666666666666666666666666666666666666666666666699 I%ENTIFICATION OF V3LNERA1ILITIE'6666666666666666666666666666666666666666666666666666666666666( I%ENTIFICATION OF THREAT'66666666666666666666666666666666666666666666666666666666666666666666666666666666( I%ENTIFICATION OF RI'8'6666666666666666666666666666666666666666666666666666666666666666666666666666666666666666( ,* LI'T OF E7HI1IT' LI'T OF FIG3RE' FIG3RE , & IT ';'TEM 1O3N%AR; %IAGRAM66666666666666666666666666666666666666666666666666669 FIG3RE / & INFORMATION FLOW %IAGRAM66666666666666666666666666666666666666666666666666666669 ii is! Assessment eport LI'T OF TA1LE' TA1LE A. RI'8 CLA''IFICATION'6666666666666666666666666666666666666666666666666666666666666666666666666, TA1LE 1. IT ';'TEM INVENTOR; AN% %EFINITION 66666666666666666666666666666666666666/ TA1LE C. THREAT' I%ENTIFIE%66666666666666666666666666666666666666666666666666666666666666666666666666666( TA1LE %. 
V3LNERA1ILITIE'4 THREAT'4 AN% RI'8'666666666666666666666666666666666666666* TA1LE E. 'EC3RIT; CONTROL'66666666666666666666666666666666666666666666666666666666666666666666666666666> TA1LE F. RI'8'+CONTROL'+FACTOR' CORRELATION66666666666666666666666666666666666: TA1LE G. RI'8 LI8ELIHOO% %EFINITION'666666666666666666666666666666666666666666666666666666,) TA1LE H. RI'8 LI8ELIHOO% RATING'66666666666666666666666666666666666666666666666666666666666666,) TA1LE I. RI'8 IM2ACT RATING %EFINITION'66666666666666666666666666666666666666666666666666,/ TA1LE @. RI'8 IM2ACT ANAL;'I'66666666666666666666666666666666666666666666666666666666666666666666666,/ TA1LE 8. OVERALL RI'8 RATING MATRI766666666666666666666666666666666666666666666666666666,9 TA1LE L. OVERALL RI'8 RATING' TA1LE6666666666666666666666666666666666666666666666666666666,9 TA1LE M. RECOMMEN%ATION'666666666666666666666666666666666666666666666666666666666666666666666666666,* iii , INTRO%3CTION is! assessment participants7 2articipant roles in the ris! assessment in relation assigned agency responsibilities7 is! assessment techni8ues used7 TaCle A% Risk 1lassifications Risk 0e(el Risk 'escri$tion I 2ecessary Actions 6igh The loss of confidentiality+ integrity+ or a(ailaCility could Ce ex$ected to ha(e a se(ere or catastro$hic ad(erse effect on organiDational o$erations+ organiDational assets or indi(iduals. 5oderate The loss of confidentiality+ integrity+ or a(ailaCility could Ce ex$ected to ha(e a serious ad(erse effect on organiDational o$erations+ organiDational assets or indi(iduals. 0o- The loss of confidentiality+ integrity+ or a(ailaCility could Ce ex$ected to ha(e a limited ad(erse effect on organiDational o$erations+ organiDational assets or indi(iduals. / IT ';'TEM CHARACTERI<ATION TaCle B% IT System In(entory and 'efinition IT System Inventory and Definition Document I. 
IT System Identification and Ownership IT System ID IT System Common ame Owned By !hysica" Location #a$or Business Function System Owner !hone um%er System Administrator&s' !hone um%er Data Owner&s' !hone um%er&s' Data Custodian&s' !hone um%er&s' Other (e"evant Information II. IT System Boundary and Components IT System Description and Components IT System Interfaces IT System Boundary III. IT System Interconnections &add additiona" "ines0 as needed' A)ency or Or)ani*ation IT System ame IT System ID IT System Owner Interconnection Security A)reement Status I+. IT System and Data Sensitivity &add additiona" "ines0 as needed' Type of Data Sensitivity (atin)s Inc"ude (ationa"e for each (atin) Confidentia"ity Inte)rity Avai"a%i"ity Overa"" IT System Sensitivity (atin) and Overa"" IT System Sensitivity (atin) Must be high if sensitivity of any data type is rated high on any criterion ,I-, #ODE(ATE LO. IT System C"assification Must be Sensitive if overall sensitivity is high; consider as Sensitive if overall C"assification sensitivity is moderate SESITI+E O/SESITI+E Description or diagram of the system and net.or! architecture, including all components of the system and communications lin!s connecting the components of the system, associated data communications and net.or!s7 Figure 1 IT System Boundary Diagram Description or a diagram depicting the flo. of information to and from the IT system, including inputs and outputs to the IT system and any other interfaces that exist to the system7 Figure 2 Information Flow Diagram = RI'8 I%ENTIFICATION I"entification of VlneraAilities Vulnerabilities .ere identified by7 I"entification of Threats Threats .ere identified by7 The threats identified are listed in Table %* TaCle 1% Threats Identified I"entification of Ris!s is!s .ere identified by7 The .ay +ulnerabilities combine .ith credible threats to create ris!s is identified Table D* TaCle '% VulneraCilities+ Threats+ and Risks Risk 2o. 
Risk No. | Vulnerability | Threat | Risk of Compromise of | Risk Summary
(rows numbered 1 through 25, left blank for completion)

4 CONTROL ANALYSIS

Table E documents the IT security controls in place and planned for the IT system.

Table E: Security Controls

Control Area | In-Place/Planned | Description of Controls
1 Risk Management
1.1 IT Security Roles & Responsibilities
1.2 Business Impact Analysis
1.3 IT System & Data Sensitivity Classification
1.4 IT System Inventory & Definition
1.5 Risk Assessment
1.6 IT Security Audits
2 IT Contingency Planning
2.1 Continuity of Operations Planning
2.2 IT Disaster Recovery Planning
2.3 IT System & Data Backup & Restoration
3 IT Systems Security
3.1 IT System Hardening
3.2 IT Systems Interoperability Security
3.3 Malicious Code Protection
3.4 IT Systems Development Life Cycle Security
4 Logical Access Control
4.1 Account Management
4.2 Password Management
4.3 Remote Access
5 Data Protection
5.1 Data Storage Media Protection
5.2 Encryption
6 Facilities Security
6.1 Facilities Security
7 Personnel Security
7.1 Access Determination & Control
7.2 IT Security Awareness & Training
7.3 Acceptable Use
8 Threat Management
8.1 Threat Detection
8.2 Incident Handling
8.3 Security Monitoring & Logging
9 IT Asset Management
9.1 IT Asset Control
9.2 Software License Management
9.3 Configuration Management & Change Control

Table F correlates the risks identified in Table D with relevant IT security controls documented in Table E and with other mitigating or exacerbating factors.

Table F: Risks-Controls-Factors Correlation

Risk No. | Risk Summary | Correlation of Relevant Controls & Other Factors
(rows numbered 1 through 25, left blank for completion)

5 RISK LIKELIHOOD DETERMINATION

Table G defines the risk likelihood ratings.

Table G: Risk Likelihood Definitions

Effectiveness of Controls | Probability of Threat Occurrence (Natural or Environmental Threats) or Threat Motivation and Capability (Human Threats)
                          | Low      | Moderate | High
Low                       | Moderate | High     | High
Moderate                  | Low      | Moderate | High
High                      | Low      | Low      | Moderate

Table H evaluates the effectiveness of controls and the probability or motivation and capability of each threat to BFS and assigns likelihood, as defined in Table G, to each risk documented in Table D.

Table H: Risk Likelihood Ratings

Risk No. | Risk Summary | Risk Likelihood Evaluation | Risk Likelihood Rating
(rows numbered 1 through 25, left blank for completion)

6 IMPACT ANALYSIS

Table I documents the ratings used to evaluate the impact of risks.

Table I: Risk Impact Rating Definitions

Magnitude of Impact | Impact Definition
High | Occurrence of the risk: (1) may result in human death or serious injury; (2) may result in the loss of major COV tangible assets, resources or sensitive data; or (3) may significantly harm, or impede the COV's mission, reputation, or interest.
Moderate | Occurrence of the risk: (1) may result in human injury; (2) may result in the costly loss of COV tangible assets or resources; or (3) may violate, harm, or impede the COV's mission, reputation, or interest.
Low | Occurrence of the risk: (1) may result in the loss of some tangible COV assets or resources or (2) may noticeably affect the COV's mission, reputation, or interest.

Table J documents the results of the impact analysis, including the estimated impact for each risk identified in Table D and the impact rating assigned to the risk.

Table J: Risk Impact Analysis

Risk No. | Risk Summary | Risk Impact | Risk Impact Rating
(rows numbered 1 through 25, left blank for completion)

Description of process used in determining impact ratings:

7 RISK DETERMINATION

Table K documents the criteria used in determining overall risk ratings.

Table K: Overall Risk Rating Matrix

Risk Likelihood | Risk Impact: Low (10) | Moderate (50)            | High (100)
High (1.0)      | Low (10 x 1.0 = 10)   | Moderate (50 x 1.0 = 50) | High (100 x 1.0 = 100)
Moderate (0.5)  | Low (10 x 0.5 = 5)    | Moderate (50 x 0.5 = 25) | Moderate (100 x 0.5 = 50)
Low (0.1)       | Low (10 x 0.1 = 1)    | Low (50 x 0.1 = 5)       | Low (100 x 0.1 = 10)

Risk Scale: Low (1 to 10); Moderate (>10 to 50); High (>50 to 100)

Table L assigns an overall risk rating, as defined in Table K, to each of the risks documented in Table D.

Table L: Overall Risk Ratings Table

Risk No. | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating
(rows numbered 1 through 25, left blank for completion)

Description of process used in determining overall risk ratings:

8 RECOMMENDATIONS

Table M documents recommendations for the risks identified in Table D.

Table M: Recommendations

Risk No. | Risk | Risk Rating | Recommendations
(rows numbered 1 through 25, left blank for completion)

IT Risk Management Guideline, Appendix D: Risk Assessment Template

9 RESULTS DOCUMENTATION

Exhibit 1: Risk Assessment Matrix

Risk No. | Vulnerability | Threat | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations
(rows numbered 1 through 25, left blank for completion)
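As an added worked example (not part of the VITA template or any COV tool), the following Python carries a single Table D risk through the Table G likelihood lookup and the Table K scoring and Risk Scale banding that Table L records; the function names and the sample ratings are constructed for illustration.

```python
# Worked example (added here, not part of the VITA template): the Table G
# likelihood lookup and the Table K scoring/banding, applied to one risk.
LEVELS = ("Low", "Moderate", "High")

# Table G: row = effectiveness of controls, column = probability of threat
# occurrence (natural/environmental) or threat motivation and capability (human).
TABLE_G = {
    "Low":      {"Low": "Moderate", "Moderate": "High",     "High": "High"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
}
# Table K: impact values from the column headers, likelihood weights from the rows.
IMPACT_VALUE = {"Low": 10, "Moderate": 50, "High": 100}
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Moderate": 0.5, "High": 1.0}


def _check(name, value):
    if value not in LEVELS:  # reject ratings outside the three-level scale
        raise ValueError(f"{name} must be one of {LEVELS}, got {value!r}")

def likelihood_rating(control_effectiveness, threat_probability):
    """Table G: risk likelihood rating from control and threat factors."""
    _check("control_effectiveness", control_effectiveness)
    _check("threat_probability", threat_probability)
    return TABLE_G[control_effectiveness][threat_probability]

def risk_score(likelihood, impact):
    """Table K cell value: impact value x likelihood weight (e.g. 50 x 0.5 = 25)."""
    _check("likelihood", likelihood)
    _check("impact", impact)
    # round() keeps 100 x 0.1 at exactly 10 so the band edge below is reliable
    return round(IMPACT_VALUE[impact] * LIKELIHOOD_WEIGHT[likelihood], 6)

def overall_risk_rating(likelihood, impact):
    """Risk Scale: Low (1 to 10), Moderate (>10 to 50), High (>50 to 100)."""
    score = risk_score(likelihood, impact)
    if score <= 10:  # 10 is Low and 50 is Moderate: edges belong to the lower band
        return "Low"
    return "Moderate" if score <= 50 else "High"

def rate_risk(control_effectiveness, threat_probability, impact):
    """One Table D risk through Tables G, K and L: (likelihood, score, overall rating)."""
    likelihood = likelihood_rating(control_effectiveness, threat_probability)
    return likelihood, risk_score(likelihood, impact), overall_risk_rating(likelihood, impact)


if __name__ == "__main__":
    # Constructed sample: weak controls, capable threat, moderate impact -> ('High', 50.0, 'Moderate')
    print(rate_risk("Low", "High", "Moderate"))
```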